Hashpass for Opera

Hashpass for Opera is a ported version of Hashpass for the Opera Web Browser. Hashpass is designed to make passwords less painful. It generates a unique password for every website you use, and you only have to memorize a single secret key.

Hashpass is deterministic, meaning that it will always generate the same password for any given site and secret key. It uses a well-known formula to generate the passwords, so you could even compute them yourself.

A key feature of Hashpass is that it's stateless. Hashpass never writes to the file system or makes network requests. There is no password database.

How passwords are generated

Suppose your secret key is bananas, and you're signing up for Facebook. Hashpass combines the current domain name and your secret key with a / as follows: www.facebook.com/bananas. It then computes the SHA-256 hash of that string. Then it hashes it again and again, 2^16 times in total. Finally, it outputs the first 96 bits of the result, encoded as 16 characters in Base64. In this example, the final output is sWwtmA9uA6X9SyXD. This result can be reproduced using the Python script near the bottom of this document.

If an adversary has your secret key, they have access to all of your accounts. Hashpass never reveals your secret key. But we must make sure that an adversary can't determine it from the generated passwords.

SHA-256 is one of the most widely-used cryptographic hash functions, and is considered unbroken at the time of this writing. This means that given a hash of a long and random string, an adversary can't recover that original string. However, secret keys produced by humans are not typically long, nor are they perfectly random. They often contain predictable words or phrases.

**It is strongly advised that you pick a key with at least 10 characters**

Click the Hashpass button and a window will pop up. Hashpass generates a password based on your key and the current domain [Screenshot 1].

Usually you will want to select a password field first. Then Hashpass doesn't show the generated password, giving you the option to fill in the field instead [Screenshot 2].